New Ransomware Attacks Install Malicious Gigabyte Drivers To Disable Antivirus


Another wave of ransomware attacks is targeting systems with a novel strategy. As discovered by researchers, the new ransomware campaign installs a malicious Gigabyte driver on target devices to evade defense mechanisms.

Ransomware Campaign Uses Malicious Gigabyte Drivers

Researchers from the Sophos Labs have unveiled an active ransomware campaign exploiting Gigabyte drivers. As shared in their report, the new ransomware attack evades security checks by installing malicious Gigabyte drivers on target systems.

The researchers investigated two different ransomware incidents involving Robinhood ransomware. In both cases, the attackers also installed signed drivers on the systems to disable the antivirus solution or any other security program.

Digging further revealed that the attackers exploited a known vulnerability, CVE-2018-19320, in the Gigabyte driver. Although the vendor has withdrawn the vulnerable driver, copies of it still exist. Moreover, the driver still bears a valid digital signature from Verisign, which has not revoked the certificate. Thus, the attackers continue to exploit the driver in ransomware attacks on high-profile targets.

As stated by the researchers,

In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows. This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference.

The malware places numerous files in the ‘temp’ folder of the target system, which then carry out further malicious activities. The table below gives a quick glimpse of these files.

[Image: table of files dropped to the temp folder by the malicious Gigabyte driver campaign. Source: Sophos]

More details about the attack scenario are available in the researchers’ post.
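One way to hunt for the wedge-then-unsigned-driver pattern described above in endpoint telemetry, as an added example that is not code from the article or from Sophos: it parses constructed Sysmon DriverLoad (Event ID 6) records, flags loads that are unsigned, come from a temp directory, or match a vulnerable-driver blocklist, and chains a blocklisted load to an unsigned load that follows it shortly afterwards. The driver file names, the blocklist entry and the five-minute window are assumptions, since the article names none of them.

```python
import re
from datetime import datetime

# Placeholder blocklist: the article does not name the Gigabyte driver file, so this
# entry is hypothetical; populate it from a real vulnerable-driver list in production.
VULNERABLE_DRIVERS = {"placeholder_vulnerable_driver.sys"}
CHAIN_WINDOW_SECONDS = 300  # assumption: loads within 5 minutes are one chain

# Constructed sample records in Sysmon's DriverLoad key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    "UtcTime=2020-02-07 10:01:02.000 ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "UtcTime=2020-02-07 10:05:11.000 ImageLoaded=C:\\Windows\\Temp\\placeholder_vulnerable_driver.sys Signed=true Signature=Placeholder Vendor SignatureStatus=Valid",
    "UtcTime=2020-02-07 10:05:13.000 ImageLoaded=C:\\Windows\\Temp\\second_stage.sys Signed=false Signature=- SignatureStatus=Unavailable",
]
# Values may contain spaces, so each value runs up to the next "key=" rather than to whitespace.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split one DriverLoad record into a dict and derive a timestamp and file name."""
    ev = dict(FIELD_RE.findall(line))
    ev["time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    ev["name"] = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
    return ev

def classify(ev):
    """Reasons one driver load is suspicious; an empty list means nothing was flagged."""
    reasons = []
    if ev["name"] in VULNERABLE_DRIVERS:
        reasons.append("known-vulnerable driver")
    if ev["Signed"].lower() != "true" or ev["SignatureStatus"] != "Valid":
        reasons.append("unsigned or invalidly signed driver")
    if "\\temp\\" in ev["ImageLoaded"].lower():
        reasons.append("driver loaded from a temp directory")
    return reasons

def find_chains(lines):
    """Pair each vulnerable-driver load with later unsigned loads inside the window."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    chains = []
    for i, wedge in enumerate(events):
        if wedge["name"] not in VULNERABLE_DRIVERS:
            continue
        for later in events[i + 1:]:
            if (later["time"] - wedge["time"]).total_seconds() > CHAIN_WINDOW_SECONDS:
                break
            if "unsigned or invalidly signed driver" in classify(later):
                chains.append((wedge["ImageLoaded"], later["ImageLoaded"]))
    return chains

if __name__ == "__main__":
    print("wedge/second-stage chains:", find_chains(SAMPLE_EVENTS))
```

On a system with Driver Signature Enforcement active, an unsigned driver load should never appear at all, so any such event deserves attention even without a preceding blocklisted load.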

Possible Mitigations

Earlier, having a robust antimalware solution was considered sufficient for protecting against a malware or ransomware attack. However, now that more and more ransomware families adopt tactics to evade security checks, antivirus alone is no longer a dependable defense. The same applies to Robinhood ransomware attacks.

Therefore, Sophos recommends employing multiple measures to ensure security. These include the use of multi-factor authentication, having complex passwords, restricting access of users to critical systems/networks, maintaining up-to-date backups, and limiting RDP.

Users must also make sure the Tamper Protection feature of their security solution is enabled, to prevent malware from disabling the endpoint security product.

Let us know your thoughts in the comments.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]